→Web applications: reword for accuracy
→Web applications: fixing formatting
Line 57:
*[[Authentication]] and [[authorization]] failures enable attackers to access data that should be restricted to trusted users.{{sfn |Strout |2023|p=13}}
*[[Business logic vulnerability]] occurs when programmers do not consider unexpected cases arising in [[business logic]].
*[[Cross-site scripting]] (XSS) enables attackers to [[code injection|inject]] and run [[JavaScript]]-based [[malware]] when [[input checking]] is insufficient to reject the injected code.{{sfn |Strout |2023|p=13}} XSS can be persistent, when attackers save the malware in a data field and run it when the data is loaded; it can also be loaded using a malicious [[URL]] link (reflected XSS).{{sfn |Strout |2023|p=13}} Attackers can also insert malicious code into the [[___domain object model]].{{sfn |Strout |2023|p=14}}
*[[SQL injection]] and similar attacks manipulate [[database queries]] to gain unauthorized access to data.{{sfn |Strout |2023|p=14}}
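Review bot: the [[Business logic vulnerability]] bullet is the only item in this list without an {{sfn}} citation, while the second hunk carries the same sentence with {{sfn |Strout |2023|pp=14-15}}; either cite it here as well or keep the bullet in one place only so the list does not state it twice. Separately, the link target [[___domain object model]] in the XSS bullet looks garbled: DOM-based XSS concerns the Document Object Model, so the link should read [[Document Object Model]].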
Line 66:
*[[Server-side request forgery]] is similar to CSRF, but the request is forged from the server side and often exploits the enhanced privilege of the server.{{sfn |Strout |2023|p=14}}
*[[Business logic vulnerability]] occurs when programmers do not consider unexpected cases arising in [[business logic]].{{sfn |Strout |2023|pp=14-15}}
==Management ==
{{main |Vulnerability management}}
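Review bot: "[[Business logic vulnerability]] occurs when" reads as a bare singular noun; "Business logic vulnerabilities occur when programmers do not consider..." (or "A [[business logic vulnerability]] occurs when...") is grammatical and matches the surrounding bullets. Two style points in the same hunk: the page range in {{sfn |Strout |2023|pp=14-15}} should use an en dash ("pp=14–15") per Wikipedia's citation style, and the heading "==Management ==" has a stray space before the closing marks; "==Management==" is the usual form.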